
Getting crazy with routes within subnets

Posted: Thu Apr 25, 2019 5:29 pm
by elpeter
Hi all,

I'm new to networking and not so new to IT. I'm having so much trouble trying to reach one subnet from another... let me explain the "Frankenstein" that I have.

Mikrotik router (hEX S) connected to Internet through SFP+
Main net is 192.168.0.0
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                        
 0   192.168.0.1/24     192.168.0.0     ether2-MasterGreen                                                                               
 1   192.168.2.1/24     192.168.2.0     ether2-MasterGreen                                                                               
 2   192.168.5.1/30     192.168.5.0     ether3-AsusAP                                                                                    
 3 X 192.168.1.2/24     192.168.1.0     ether1-Router                                                                                    
 4   192.168.1.2/24     192.168.1.0     sfp1                                                                                             
 5   10.108.89.224/10   10.64.0.0       vlan3                                                                                            
 6 D 88.1.136.189/32    192.168.144.1   pppoe-out1                                                                                       
 7 D 10.23.12.28/19     10.23.0.0       vlan3                                                                                            
 8   192.168.122.10/24  192.168.122.0   ether2-MasterGreen


Asus ADSL Router (RT-AC68U) configured as router mode only to have WiFi managed by it on subnet 192.168.5.0.

I'm struggling to connect from a computer on LAN 192.168.0.0 to a computer on LAN 192.168.5.0. Not sure if it's a route issue or an issue on the Asus router not allowing traffic from "WAN" to LAN.

Here's the Mikrotik's routes list.
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 X S  0.0.0.0/0                          192.168.0.50              1
 1 X S  0.0.0.0/0                          192.168.0.50              1
 2 X S  0.0.0.0/0                          192.168.0.50              1
 3 ADS  0.0.0.0/0                          pppoe-out1                1
 4 X S  0.0.0.0/0                          255.255.255.255         255
 5 X S  0.0.0.0/0                          255.255.255.255         255
 6   S  0.0.0.0/0                          255.255.255.255         255
 7 X S  0.0.0.0/0                          255.255.255.255         255
 8 ADC  10.23.0.0/19       10.23.12.28     vlan3                     0
 9 ADr  10.31.255.128/27                   10.23.0.1               120
10 ADC  10.64.0.0/10       10.108.89.224   vlan3                     0
11 ADC  192.168.0.0/24     192.168.0.1     bridgeMain                0
12 ADC  192.168.1.0/24     192.168.1.2     bridgeMain                0
13 ADC  192.168.2.0/24     192.168.2.1     bridgeMain                0
15 ADC  192.168.5.0/30     192.168.5.1     bridgeMain                0
17 ADC  192.168.122.0/24   192.168.122.10  bridgeMain                0
18 ADC  192.168.144.1/32   xx.xx.xx.xx    pppoe-out1                0
BTW, wifi is working as expected, has access to every host on 192.168.5.0 lan and on 192.168.0.0 also and of course access to Internet.

Any help will be truly appreciated.

Thanks in advance from a complete newbie.

Re: Getting crazy with routes within subnets

Posted: Thu Apr 25, 2019 7:25 pm
by anav
Two things get configs up and running faster.
1- diagram especially for complicated setup (this does not appear to be the case).
2- post your config, there are too many linkages to look at any one aspect in isolation.

/export hide-sensitive file=yourconfigapr25

In your case it's probably the forward chain firewall setup, but I will reserve judgement until we see the config.

Re: Getting crazy with routes within subnets

Posted: Thu Apr 25, 2019 9:37 pm
by elpeter
Thanks anav for getting back to me.

I'll try to make a diagram of the network.

In the meantime, here's my exported config.


Thanks!!!

EDIT:
I finally have it working!! I started by installing dd-wrt on my Asus to see if I could manage something different within it. For starters I could set the Asus into Router mode instead of Gateway mode. But the key was that in the Mikrotik I had added to the ETH port the first IP in the subnet 5 range, so the Mikrotik itself created the rule to 192.168.5.0/24 using the MT IP as gateway... wrong!! The gateway must've been the IP on the Asus WAN interface. So I deleted the IP address in the Mikrotik, created the route to 192.168.5.0/24 with GW the WAN IP from the Asus and bang!! It worked like a charm :)

Now I just want to know as a matter of learning how could I get everything working isolating the networks, taking the Asus Eth port out of the Bridge. I guess that should be possible but really have no idea how to make it work :(

Re: Getting crazy with routes within subnets

Posted: Fri Apr 26, 2019 10:31 am
by elpeter
Here's my network schema
[attached image: Pethernet.png]

Re: Getting crazy with routes within subnets

Posted: Fri Apr 26, 2019 5:50 pm
by mkx
Now that we can see what you want to achieve, post full config from RB (/export hide-sensitive and redact public IP address and SSID/PSK) ... and we might give some advice.

Re: Getting crazy with routes within subnets

Posted: Fri Apr 26, 2019 6:36 pm
by anav
Concur, still waiting for config. :-)

Re: Getting crazy with routes within subnets

Posted: Sat Apr 27, 2019 12:51 pm
by elpeter
Apologies I deleted it due to the changes I mentioned.

Here you go.


Thanks!!


[attached file: yourconfigapr25.rsc]

Re: Getting crazy with routes within subnets  [SOLVED]

Posted: Sat Apr 27, 2019 1:54 pm
by mkx
Your network chart is missing some data. For example, what is the Asus WAN IP address? I guess 192.168.0.2. Which is not OK if you really want to control traffic between 192.168.5.0/24 and everywhere else (right now, you probably have a routing triangle where devices on 192.168.0.0/24 use MT to send traffic towards 192.168.5.0/24, while return traffic flows from Asus directly to devices, bypassing MT).

You have to introduce another subnet just to connect Asus and MT ... preferably also remove ether3 from common bridge on MT (if ether3 is exclusively used to connect Asus). A /30 network will do (assuming Asus can handle it).

# remove ether3 from bridgeMain first
/ip address
# Asus will have 192.168.13.2/30
add interface=ether3-AsusAP address=192.168.13.1/30
/ip route
# remove existing route towards same subnet
add dst-address=192.168.5.0/24 gateway=192.168.13.2

On Asus, set 192.168.13.1 as default gateway.

Then you configure firewall rules to control what 192.168.5.0/24 can do. The "routing subnet" doesn't affect these rules at all.

Re: Getting crazy with routes within subnets

Posted: Sat Apr 27, 2019 5:12 pm
by anav
As usual disagree with MKX!

There is no need for double nat and two routers in the same network.
There is all the reason in the world to keep it simple and use
MT for routing/dhcp
Asus for WIFI
VLANS for separation of users (normal/guests) for wired and wireless.

The problem I see is that the RT-AC68U is not vlan capable.
It appears that one could possibly program it in the CLI on the Merlin build, but I cannot find any definitive third party site that reflects it's part of their build ??????

Re: Getting crazy with routes within subnets

Posted: Sat Apr 27, 2019 10:32 pm
by mkx
> There is no need for double nat and two routers in the same network.
Where in my previous post did you notice NAT? The whole post is about routing.

Re: Getting crazy with routes within subnets

Posted: Sat Apr 27, 2019 10:40 pm
by elpeter
Thanks both for getting back to me now I'm even more confused :P

MKX,
You're right, the WAN IP for the Asus is 192.168.0.2, sorry I forgot to mention that. What would the new subnet's purpose be? I mean I already have the 5 subnet just to isolate the WiFi subnet from the cable LAN. Also I'm not sure if I would be able to get everything working with the FW and different subnets; I'm quite new at this and a bit confused on how to make the network work... I guess I have a lot of reading to do yet...

Anav,
What you mentioned will be ideal but again my lack of knowledge won't allow me to do so. BTW the DD-WRT in the Asus allows me to configure Vlans as far as I can see but again no idea how to achieve it.

Thanks for reading me!

Re: Getting crazy with routes within subnets

Posted: Sat Apr 27, 2019 10:54 pm
by mkx
> What would be the new subnet purpose for?
Its purpose is to force traffic between 192.168.5.0/24 and 192.168.0.0/24 through firewall on RB ... to really have control over it. Which you can't do properly if Asus' WAN IP address is in 192.168.0.0/24.

On the other hand it would make lots of sense if you used Asus to simply bridge AP with ethernet (meaning you'd connect RB to LAN ethernet port on Asus). Then you'd disable DHCP server on Asus, configure RB's ether3 with IP address from 192.168.5.0/24, run DHCP server with appropriate address pool and rest of settings (gateway, DNS server, ...) for that subnet on RB.
This setup would give full control over 192.168.5.0/24 connectivity outwards without having the additional subnet I wrote about in my previous post.

No need to play with VLANs if you can dedicate ethernet port on RB for ASUS and its clients.

Re: Getting crazy with routes within subnets

Posted: Sun Apr 28, 2019 1:25 am
by elpeter
Thanks MKX,

I think I understood it but I'm not able to make it work... Here's what I've done so far:

# removed ether3 from bridgeMain
/ip address
# Asus will have 192.168.15.2/30
add interface=ether3-AsusAP address=192.168.15.1/30
/ip route
# removed existing route towards same subnet
add dst-address=192.168.5.0/24 gateway=192.168.15.2

Asus AP:
WAN:
IP: 192.168.15.2/30
GW: 192.168.15.1
DNS: 192.168.0.50 (Not sure if this will work but my DNS is on that server)

LAN:
IP: 192.168.5.1/24
GW: 192.168.0.1
DNS: 192.168.0.50

DHCP Forwarded to 192.168.0.1

But this configuration doesn't work: the WiFi clients do not get any IP from DHCP, and if I set it manually they don't reach the Internet.

Which routes should I create over the AsusAP to both get Internet and to reach both subnets 0 and 5?

What am I missing?

Thanks for your time, appreciate it.

Re: Getting crazy with routes within subnets

Posted: Sun Apr 28, 2019 11:53 am
by mkx
Try to run DHCP server for 192.168.5.0/24 on Asus.

Rethink your firewall rules to see if some might be blocking internet access from 192.168.5.0/24. Make sure your src-nat rules cover that subnet.

Set default route on Asus (target 0.0.0.0/0) to use gateway 192.168.15.1 (I'm not sure current setting translates to that).

Try to ping Asus from MT and from some other subnet to verify routing on both MT and Asus (assuming firewall on Asus is turned off).

Re: Getting crazy with routes within subnets

Posted: Mon Apr 29, 2019 9:17 pm
by elpeter
It's finally working!!

Thanks MKX for your support.

There were a couple of problems: first, the DHCP on the Mikrotik was missing the option for relay, and after that the DHCP on the Asus needed to be forwarded to 192.168.15.1. After that, everything worked like a charm and now I have control over routes and everything.

Thanks!!!!
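Pulling together mkx's transit-subnet design from the [SOLVED] post and the values elpeter ended up with (192.168.15.0/30 on ether3-AsusAP, DHCP served from the MikroTik and relayed by the Asus), here is an added RouterOS v6 example of the complete MikroTik side of that setup. It is not elpeter's exported config and not code from the thread. Interface names (ether3-AsusAP, bridgeMain, pppoe-out1) and the DNS server 192.168.0.50 come from the outputs posted above; the firewall policy (WiFi clients may reach the Internet and the internal DNS server, but not the rest of the wired LAN), the DHCP pool range and the relay= value are assumptions chosen to illustrate the point mkx makes: once the Asus WAN sits on its own /30 instead of 192.168.0.2, both directions of every flow between 192.168.5.0/24 and 192.168.0.0/24 cross the MikroTik, so the forward chain actually sees and controls the traffic.

```routeros
# Added example (not from the thread): MikroTik side of the transit-subnet design.
# Interface names come from elpeter's posts; the firewall policy, pool range and
# relay= value below are illustrative assumptions, adjust them to your own setup.

# 1. Take the Asus-facing port out of the LAN bridge so it becomes a routed link.
/interface bridge port
remove [find interface=ether3-AsusAP]

# 2. Transit /30 between MT (.1) and the Asus WAN port (.2). Nothing else lives here.
/ip address
add address=192.168.15.1/30 interface=ether3-AsusAP comment="transit link to Asus WAN"

# 3. Reach the WiFi subnet via the Asus, not via the LAN (drop any old route first).
/ip route
remove [find dst-address=192.168.5.0/24]
add dst-address=192.168.5.0/24 gateway=192.168.15.2 comment="WiFi LAN behind Asus"

# 4. Forward-chain policy for the WiFi subnet. With the Asus WAN at 192.168.0.2 the
#    return packets went Asus -> LAN host directly and connection tracking on MT only
#    ever saw one direction; now both directions cross ether3-AsusAP, so stateful rules
#    work. These rules assume they sit before any existing catch-all drop rules.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="return traffic for already-allowed flows"
add chain=forward connection-state=invalid action=drop
add chain=forward src-address=192.168.5.0/24 dst-address=192.168.0.50 \
    protocol=udp dst-port=53 action=accept comment="WiFi -> internal DNS (assumed policy)"
add chain=forward src-address=192.168.5.0/24 dst-address=192.168.0.0/24 \
    action=drop comment="WiFi may not reach the wired LAN (assumed policy)"
add chain=forward src-address=192.168.5.0/24 out-interface=pppoe-out1 \
    action=accept comment="WiFi -> Internet"

# 5. Source NAT must cover the new subnet, otherwise Internet replies never come back
#    (mkx's "make sure your src-nat rules cover that subnet").
/ip firewall nat
add chain=srcnat src-address=192.168.5.0/24 out-interface=pppoe-out1 action=masquerade

# 6. DHCP for WiFi clients served from MT, requests arriving through the Asus relay.
#    relay= must equal the giaddr the Asus inserts into relayed requests; its LAN
#    address 192.168.5.1 is the usual value (assumption: verify with /tool sniffer).
/ip pool
add name=pool-wifi ranges=192.168.5.100-192.168.5.199
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1 dns-server=192.168.0.50
/ip dhcp-server
add name=dhcp-wifi interface=ether3-AsusAP address-pool=pool-wifi \
    relay=192.168.5.1 disabled=no
```

To check that the triangle is really gone, ping a 192.168.5.x host from a wired 192.168.0.x host and then look at /ip firewall connection print on the MikroTik: the entry for that flow should show reply traffic as well, which it never did while the Asus answered the LAN directly. If WiFi clients get no lease, a /tool sniffer capture on ether3-AsusAP shows which giaddr the Asus puts in the relayed DHCPDISCOVER, and relay= has to match it exactly.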